Add user names, team-scoped sandbox guard, and login robustness fixes

- Add name column to users (migration + sqlc regen); propagate through JWT claims, auth context, all auth/OAuth handlers, service layer, and frontend - Sidebar and team page show name instead of email; team page splits Name/Email into separate columns - Block sandbox creation in UI and API when user has no active team context - loginTeam helper falls back to first active team when no default is set, fixing login for invited users with no is_default membership - Exclude soft-deleted teams from GetDefaultTeamForUser, GetBYOCTeams queries - Guard host creation against soft-deleted teams in service/host.go - SwitchTeam re-fetches name from DB instead of trusting stale JWT claim - Reset teams store on login so stale data from a previous session never persists - Update openapi.yaml: add name to SignupRequest and AuthResponse schemas
2026-03-24 16:56:10 +06:00
parent aaeccd32ce
commit 3932bc056e
26 changed files with 228 additions and 77 deletions
--- a/db/migrations/20260324100234_user_names.sql
+++ b/db/migrations/20260324100234_user_names.sql
@ -0,0 +1,5 @@
 -- +goose Up
 ALTER TABLE users ADD COLUMN name TEXT NOT NULL DEFAULT '';
 -- +goose Down
 ALTER TABLE users DROP COLUMN name;
--- a/db/queries/teams.sql
+++ b/db/queries/teams.sql
@ -13,14 +13,14 @@ VALUES ($1, $2, $3, $4);
 -- name: GetDefaultTeamForUser :one
 SELECT t.* FROM teams t
 JOIN users_teams ut ON ut.team_id = t.id
-WHERE ut.user_id = $1 AND ut.is_default = TRUE
+WHERE ut.user_id = $1 AND ut.is_default = TRUE AND t.deleted_at IS NULL
 LIMIT 1;
 -- name: SetTeamBYOC :exec
 UPDATE teams SET is_byoc = $2 WHERE id = $1;
 -- name: GetBYOCTeams :many
-SELECT * FROM teams WHERE is_byoc = TRUE ORDER BY created_at;
+SELECT * FROM teams WHERE is_byoc = TRUE AND deleted_at IS NULL ORDER BY created_at;
 -- name: GetTeamMembership :one
 SELECT * FROM users_teams WHERE user_id = $1 AND team_id = $2;
@ -42,7 +42,7 @@ WHERE ut.user_id = $1 AND t.deleted_at IS NULL
 ORDER BY ut.created_at;
 -- name: GetTeamMembers :many
-SELECT u.id, u.email, ut.role, ut.created_at AS joined_at
+SELECT u.id, u.name, u.email, ut.role, ut.created_at AS joined_at
 FROM users_teams ut
 JOIN users u ON u.id = ut.user_id
 WHERE ut.team_id = $1
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@ -1,6 +1,6 @@
 -- name: InsertUser :one
-INSERT INTO users (id, email, password_hash)
+INSERT INTO users (id, email, password_hash, name)
-VALUES ($1, $2, $3)
+VALUES ($1, $2, $3, $4)
 RETURNING *;
 -- name: GetUserByEmail :one
@ -10,8 +10,8 @@ SELECT * FROM users WHERE email = $1;
 SELECT * FROM users WHERE id = $1;
 -- name: InsertUserOAuth :one
-INSERT INTO users (id, email)
+INSERT INTO users (id, email, name)
-VALUES ($1, $2)
+VALUES ($1, $2, $3)
 RETURNING *;
 -- name: SetUserAdmin :exec
@ -37,3 +37,6 @@ SELECT EXISTS(
 -- name: SearchUsersByEmailPrefix :many
 SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10;
 -- name: UpdateUserName :exec
 UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1;
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@ -3,6 +3,7 @@ export type AuthResponse = {
 	user_id: string;
 	team_id: string;
 	email: string;
 	name: string;
 };
 export type AuthResult = { ok: true; data: AuthResponse } | { ok: false; error: string };
@ -11,8 +12,8 @@ export async function apiLogin(email: string, password: string): Promise<AuthRes
 	return authFetch('/api/v1/auth/login', { email, password });
 }
-export async function apiSignup(email: string, password: string): Promise<AuthResult> {
+export async function apiSignup(email: string, password: string, name: string): Promise<AuthResult> {
-	return authFetch('/api/v1/auth/signup', { email, password });
+	return authFetch('/api/v1/auth/signup', { email, password, name });
 }
 async function authFetch(url: string, body: Record<string, string>): Promise<AuthResult> {
--- a/frontend/src/lib/api/team.ts
+++ b/frontend/src/lib/api/team.ts
@ -2,6 +2,7 @@ import { apiFetch, type ApiResult } from '$lib/api/client';
 export type TeamMember = {
 	user_id: string;
 	name: string;
 	email: string;
 	role: 'owner' | 'admin' | 'member';
 	joined_at: string;
@ -42,7 +43,7 @@ export async function createTeam(name: string): Promise<ApiResult<TeamWithRole>>
 export async function switchTeam(
 	teamId: string
-): Promise<ApiResult<{ token: string; user_id: string; team_id: string; email: string }>> {
+): Promise<ApiResult<{ token: string; user_id: string; team_id: string; email: string; name: string }>> {
 	return apiFetch('POST', '/api/v1/auth/switch-team', { team_id: teamId });
 }
--- a/frontend/src/lib/auth.svelte.ts
+++ b/frontend/src/lib/auth.svelte.ts
@ -4,7 +4,8 @@ const STORAGE_KEYS = {
 	token: 'wrenn_token',
 	userId: 'wrenn_user_id',
 	teamId: 'wrenn_team_id',
-	email: 'wrenn_email'
+	email: 'wrenn_email',
 	name: 'wrenn_name'
 } as const;
 function isTokenExpired(token: string): boolean {
@ -23,6 +24,7 @@ function createAuth() {
 	let userId = $state<string | null>(null);
 	let teamId = $state<string | null>(null);
 	let email = $state<string | null>(null);
 	let name = $state<string | null>(null);
 	let initialized = $state(false);
 	// Initialize from localStorage synchronously at module load.
@ -33,6 +35,7 @@ function createAuth() {
 			userId = localStorage.getItem(STORAGE_KEYS.userId);
 			teamId = localStorage.getItem(STORAGE_KEYS.teamId);
 			email = localStorage.getItem(STORAGE_KEYS.email);
 			name = localStorage.getItem(STORAGE_KEYS.name);
 		} else if (stored) {
 			// Expired — clean up.
 			for (const key of Object.values(STORAGE_KEYS)) {
@ -57,6 +60,9 @@ function createAuth() {
 		get email() {
 			return email;
 		},
 		get name() {
 			return name;
 		},
 		get isAuthenticated() {
 			return isAuthenticated;
 		},
@ -64,16 +70,18 @@ function createAuth() {
 			return initialized;
 		},
-		login(data: { token: string; user_id: string; team_id: string; email: string }) {
+		login(data: { token: string; user_id: string; team_id: string; email: string; name: string }) {
 			token = data.token;
 			userId = data.user_id;
 			teamId = data.team_id;
 			email = data.email;
 			name = data.name;
 			localStorage.setItem(STORAGE_KEYS.token, data.token);
 			localStorage.setItem(STORAGE_KEYS.userId, data.user_id);
 			localStorage.setItem(STORAGE_KEYS.teamId, data.team_id);
 			localStorage.setItem(STORAGE_KEYS.email, data.email);
 			localStorage.setItem(STORAGE_KEYS.name, data.name);
 		},
 		logout() {
@ -81,6 +89,7 @@ function createAuth() {
 			userId = null;
 			teamId = null;
 			email = null;
 			name = null;
 			for (const key of Object.values(STORAGE_KEYS)) {
 				localStorage.removeItem(key);
--- a/frontend/src/lib/components/Sidebar.svelte
+++ b/frontend/src/lib/components/Sidebar.svelte
@ -27,7 +27,7 @@
 	let teamPopoverOpen = $state(false);
 	let currentTeamName = $derived(teamsStore.list.find((t) => t.id === auth.teamId)?.name ?? '');
-	let userName = $derived(auth.email ?? '');
+	let userName = $derived(auth.name || auth.email || '');
 	// Create team dialog
 	let showCreateTeam = $state(false);
--- a/frontend/src/lib/teams.svelte.ts
+++ b/frontend/src/lib/teams.svelte.ts
@ -24,6 +24,10 @@ function createTeamsStore() {
 		set(newTeams: TeamWithRole[]) {
 			teams = newTeams;
 			loaded = true;
 		},
 		reset() {
 			teams = [];
 			loaded = false;
 		}
 	};
 }
--- a/frontend/src/routes/auth/github/callback/+page.svelte
+++ b/frontend/src/routes/auth/github/callback/+page.svelte
@ -2,6 +2,7 @@
 	import { goto } from '$app/navigation';
 	import { page } from '$app/stores';
 	import { auth } from '$lib/auth.svelte';
 	import { teams } from '$lib/teams.svelte';
 	const params = $page.url.searchParams;
 	const error = params.get('error');
@ -13,9 +14,11 @@
 		const userId = params.get('user_id');
 		const teamId = params.get('team_id');
 		const email = params.get('email');
 		const name = params.get('name') ?? '';
 		if (token && userId && teamId && email) {
-			auth.login({ token, user_id: userId, team_id: teamId, email });
+			teams.reset();
 			auth.login({ token, user_id: userId, team_id: teamId, email, name });
 			goto('/dashboard');
 		} else {
 			goto('/login?error=missing_token');
--- a/frontend/src/routes/dashboard/capsules/+page.svelte
+++ b/frontend/src/routes/dashboard/capsules/+page.svelte
@ -2,6 +2,7 @@
 	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
 	import { auth } from '$lib/auth.svelte';
 	import {
 		listCapsules,
 		createCapsule,
@ -440,7 +441,9 @@
 						<button
 							onclick={() => { showCreateDialog = true; createError = null; }}
-							class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+							disabled={!auth.teamId}
 							title={!auth.teamId ? 'No active team — re-authenticate to create capsules' : undefined}
 							class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:pointer-events-none disabled:opacity-40"
 						>
 							<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
 								<line x1="12" y1="5" x2="12" y2="19" /><line x1="5" y1="12" x2="19" y2="12" />
@ -494,7 +497,8 @@
 								</p>
 								<button
 									onclick={() => { showCreateDialog = true; createError = null; }}
-									class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
+									disabled={!auth.teamId}
 								class="mt-6 flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0 disabled:pointer-events-none disabled:opacity-40"
 								>
 									Launch a Capsule
 									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
--- a/frontend/src/routes/dashboard/team/+page.svelte
+++ b/frontend/src/routes/dashboard/team/+page.svelte
@ -209,8 +209,8 @@
 			);
 			toast.success(
 				newRole === 'admin'
-					? `${member.email} is now an admin`
+					? `${member.name || member.email} is now an admin`
-					: `${member.email} is now a member`
+					: `${member.name || member.email} is now a member`
 			);
 		} else {
 			toast.error(result.error);
@ -675,12 +675,17 @@
 						>
 							<!-- Table header -->
 							<div
-								class="grid grid-cols-[1fr_120px_140px_120px] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]"
+								class="grid grid-cols-[1fr_1fr_120px_140px_120px] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]"
 							>
 								<div
 									class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]"
 								>
-									Member
+									Name
 								</div>
 								<div
 									class="px-4 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]"
 								>
 									Email
 								</div>
 								<div
 									class="px-4 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]"
@ -699,15 +704,15 @@
 							{#each members as member, i (member.user_id)}
 								<div
-									class="grid grid-cols-[1fr_120px_140px_120px] items-center border-b border-[var(--color-border)] transition-colors duration-150 hover:bg-[var(--color-bg-3)] last:border-b-0 {recentlyAddedId === member.user_id ? 'member-flash' : ''}"
+									class="grid grid-cols-[1fr_1fr_120px_140px_120px] items-center border-b border-[var(--color-border)] transition-colors duration-150 hover:bg-[var(--color-bg-3)] last:border-b-0 {recentlyAddedId === member.user_id ? 'member-flash' : ''}"
 									in:fly={{ y: 6, duration: 200, delay: i * 30, easing: cubicOut }}
 									out:fly={{ x: -16, duration: 180, easing: cubicOut }}
 								>
-									<!-- Email -->
+									<!-- Name -->
 									<div class="min-w-0 px-5 py-4">
 										<div class="flex min-w-0 items-center gap-2">
 											<span class="truncate text-ui text-[var(--color-text-bright)]"
-												>{member.email}</span
+												>{member.name || member.email}</span
 											>
 											{#if member.user_id === auth.userId}
 												<span class="shrink-0 rounded-[2px] bg-[var(--color-bg-4)] px-1.5 py-0.5 text-badge font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">you</span>
@ -715,6 +720,11 @@
 										</div>
 									</div>
 									<!-- Email -->
 									<div class="min-w-0 px-4 py-4">
 										<span class="truncate font-mono text-ui text-[var(--color-text-secondary)]">{member.email}</span>
 									</div>
 									<!-- Role badge -->
 									<div class="px-4 py-4">
 										{#if updatingRoleId === member.user_id}
@ -1092,7 +1102,7 @@
 			</h2>
 			<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 				Remove <span class="font-medium text-[var(--color-text-secondary)]"
-					>{removeTarget.email}</span
+					>{removeTarget.name || removeTarget.email}</span
 				> from the team? They will lose access immediately.
 			</p>
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@ -3,11 +3,13 @@
 	import { onMount } from 'svelte';
 	import { page } from '$app/stores';
 	import { auth } from '$lib/auth.svelte';
 	import { teams } from '$lib/teams.svelte';
 	import { apiLogin, apiSignup } from '$lib/api/auth';
 	import {
 		IconGithub,
 		IconMail,
 		IconLock,
 		IconUser,
 		IconEye,
 		IconEyeOff
 	} from '$lib/components/icons';
@ -15,6 +17,7 @@
 	let mode: 'signin' | 'signup' = $state('signin');
 	let email = $state('');
 	let password = $state('');
 	let name = $state('');
 	let showPassword = $state(false);
 	let error = $state('');
 	let loading = $state(false);
@ -77,6 +80,7 @@
 	function switchMode() {
 		mode = mode === 'signin' ? 'signup' : 'signin';
 		error = '';
 		name = '';
 	}
 	async function handleSubmit(e: Event) {
@ -87,7 +91,7 @@
 		const result =
 			mode === 'signin'
 				? await apiLogin(email, password)
-				: await apiSignup(email, password);
+				: await apiSignup(email, password, name);
 		loading = false;
@ -96,6 +100,7 @@
 			return;
 		}
 		teams.reset();
 		auth.login(result.data);
 		goto('/dashboard');
 	}
@ -204,6 +209,22 @@
 			<!-- Form -->
 			<form onsubmit={handleSubmit} class="space-y-3">
 				{#if mode === 'signup'}
 					<div class="group relative">
 						<div
 							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
 						>
 							<IconUser size={14} />
 						</div>
 						<input
 							type="text"
 							bind:value={name}
 							placeholder="Full name"
 							autocomplete="name"
 							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-3 pl-9 pr-3 text-body text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
 						/>
 					</div>
 				{/if}
 				<div class="group relative">
 					<div
 						class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@ -1,6 +1,7 @@
 package api
 import (
 	"context"
 	"errors"
 	"net/http"
 	"strings"
@ -15,6 +16,41 @@ import (
 	"git.omukk.dev/wrenn/sandbox/internal/id"
 )
 // loginTeam returns the team and role to stamp into a login JWT.
 // It prefers the user's default team; if none is flagged as default it falls
 // back to the earliest-joined team. Returns pgx.ErrNoRows when the user has
 // no team memberships at all.
 func loginTeam(ctx context.Context, q *db.Queries, userID string) (db.Team, string, error) {
 	team, err := q.GetDefaultTeamForUser(ctx, userID)
 	if err == nil {
 		membership, err := q.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: userID, TeamID: team.ID})
 		if err != nil {
 			return db.Team{}, "", err
 		}
 		return team, membership.Role, nil
 	}
 	if !errors.Is(err, pgx.ErrNoRows) {
 		return db.Team{}, "", err
 	}
 	// No default set — fall back to earliest-joined team.
 	rows, err := q.GetTeamsForUser(ctx, userID)
 	if err != nil {
 		return db.Team{}, "", err
 	}
 	if len(rows) == 0 {
 		return db.Team{}, "", pgx.ErrNoRows
 	}
 	first := rows[0]
 	return db.Team{
 		ID:        first.ID,
 		Name:      first.Name,
 		Slug:      first.Slug,
 		IsByoc:    first.IsByoc,
 		CreatedAt: first.CreatedAt,
 		DeletedAt: first.DeletedAt,
 	}, first.Role, nil
 }
 type switchTeamRequest struct {
 	TeamID string `json:"team_id"`
 }
@ -32,6 +68,7 @@ func newAuthHandler(db *db.Queries, pool *pgxpool.Pool, jwtSecret []byte) *authH
 type signupRequest struct {
 	Email    string `json:"email"`
 	Password string `json:"password"`
 	Name     string `json:"name"`
 }
 type loginRequest struct {
@ -44,6 +81,7 @@ type authResponse struct {
 	UserID string `json:"user_id"`
 	TeamID string `json:"team_id"`
 	Email  string `json:"email"`
 	Name   string `json:"name"`
 }
 // Signup handles POST /v1/auth/signup.
@ -55,6 +93,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 	}
 	req.Email = strings.TrimSpace(strings.ToLower(req.Email))
 	req.Name = strings.TrimSpace(req.Name)
 	if !strings.Contains(req.Email, "@") || len(req.Email) < 3 {
 		writeError(w, http.StatusBadRequest, "invalid_request", "invalid email address")
 		return
@ -63,6 +102,10 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "invalid_request", "password must be at least 8 characters")
 		return
 	}
 	if req.Name == "" || len(req.Name) > 100 {
 		writeError(w, http.StatusBadRequest, "invalid_request", "name must be between 1 and 100 characters")
 		return
 	}
 	ctx := r.Context()
@ -87,6 +130,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		ID:           userID,
 		Email:        req.Email,
 		PasswordHash: pgtype.Text{String: passwordHash, Valid: true},
 		Name:         req.Name,
 	})
 	if err != nil {
 		var pgErr *pgconn.PgError
@ -102,7 +146,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 	teamID := id.NewTeamID()
 	if _, err := qtx.InsertTeam(ctx, db.InsertTeamParams{
 		ID:   teamID,
-		Name: req.Email + "'s Team",
+		Name: req.Name + "'s Team",
 		Slug: id.NewTeamSlug(),
 	}); err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to create team")
@ -124,7 +168,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, "owner")
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, req.Email, req.Name, "owner")
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@ -135,6 +179,7 @@ func (h *authHandler) Signup(w http.ResponseWriter, r *http.Request) {
 		UserID: userID,
 		TeamID: teamID,
 		Email:  req.Email,
 		Name:   req.Name,
 	})
 }
@ -173,19 +218,17 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	team, err := h.db.GetDefaultTeamForUser(ctx, user.ID)
+	team, role, err := loginTeam(ctx, h.db, user.ID)
 	if err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
 			writeError(w, http.StatusForbidden, "no_team", "user is not a member of any team")
 			return
 		}
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up team")
 		return
 	}
-	membership, err := h.db.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: user.ID, TeamID: team.ID})
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up membership")
 		return
 	}
 	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, membership.Role)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@ -196,6 +239,7 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		UserID: user.ID,
 		TeamID: team.ID,
 		Email:  user.Email,
 		Name:   user.Name,
 	})
 }
@ -247,7 +291,14 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, req.TeamID, ac.Email, membership.Role)
+	// Fetch current name from DB — JWT name is not trusted here (may be stale or empty for old tokens).
 	user, err := h.db.GetUserByID(ctx, ac.UserID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to look up user")
 		return
 	}
 	token, err := auth.SignJWT(h.jwtSecret, ac.UserID, req.TeamID, ac.Email, user.Name, membership.Role)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "internal_error", "failed to generate token")
 		return
@ -258,5 +309,6 @@ func (h *authHandler) SwitchTeam(w http.ResponseWriter, r *http.Request) {
 		UserID: ac.UserID,
 		TeamID: req.TeamID,
 		Email:  ac.Email,
 		Name:   user.Name,
 	})
 }
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@ -150,25 +150,19 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		team, err := h.db.GetDefaultTeamForUser(ctx, user.ID)
+		team, role, err := loginTeam(ctx, h.db, user.ID)
 		if err != nil {
 			slog.Error("oauth login: failed to get team", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		membership, err := h.db.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: user.ID, TeamID: team.ID})
+		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
 		if err != nil {
 			slog.Error("oauth login: failed to get membership", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
 		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, membership.Role)
 		if err != nil {
 			slog.Error("oauth login: failed to sign jwt", "error", err)
 			redirectWithError(w, r, redirectBase, "internal_error")
 			return
 		}
-		redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email)
+		redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email, user.Name)
 		return
 	}
 	if !errors.Is(err, pgx.ErrNoRows) {
@ -205,6 +199,7 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 	_, err = qtx.InsertUserOAuth(ctx, db.InsertUserOAuthParams{
 		ID:    userID,
 		Email: email,
 		Name:  profile.Name,
 	})
 	if err != nil {
 		var pgErr *pgconn.PgError
@ -260,14 +255,14 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, "owner")
+	token, err := auth.SignJWT(h.jwtSecret, userID, teamID, email, profile.Name, "owner")
 	if err != nil {
 		slog.Error("oauth: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
 		return
 	}
-	redirectWithToken(w, r, redirectBase, token, userID, teamID, email)
+	redirectWithToken(w, r, redirectBase, token, userID, teamID, email, profile.Name)
 }
 // retryAsLogin handles the race where a concurrent request already created the user.
@ -289,33 +284,28 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	team, err := h.db.GetDefaultTeamForUser(ctx, user.ID)
+	team, role, err := loginTeam(ctx, h.db, user.ID)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to get team", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	membership, err := h.db.GetTeamMembership(ctx, db.GetTeamMembershipParams{UserID: user.ID, TeamID: team.ID})
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to get membership", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
 	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, membership.Role)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
 		return
 	}
-	redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email)
+	redirectWithToken(w, r, redirectBase, token, user.ID, team.ID, user.Email, user.Name)
 }
-func redirectWithToken(w http.ResponseWriter, r *http.Request, base, token, userID, teamID, email string) {
+func redirectWithToken(w http.ResponseWriter, r *http.Request, base, token, userID, teamID, email, name string) {
 	u := base + "?" + url.Values{
 		"token":   {token},
 		"user_id": {userID},
 		"team_id": {teamID},
 		"email":   {email},
 		"name":    {name},
 	}.Encode()
 	http.Redirect(w, r, u, http.StatusFound)
 }
--- a/internal/api/handlers_sandbox.go
+++ b/internal/api/handlers_sandbox.go
@ -79,6 +79,10 @@ func (h *sandboxHandler) Create(w http.ResponseWriter, r *http.Request) {
 	}
 	ac := auth.MustFromContext(r.Context())
 	if ac.TeamID == "" {
 		writeError(w, http.StatusForbidden, "no_team", "no active team context; re-authenticate")
 		return
 	}
 	sb, err := h.svc.Create(r.Context(), service.SandboxCreateParams{
 		TeamID:     ac.TeamID,
--- a/internal/api/handlers_team.go
+++ b/internal/api/handlers_team.go
@ -36,6 +36,7 @@ type teamWithRoleResponse struct {
 type memberResponse struct {
 	UserID   string `json:"user_id"`
 	Name     string `json:"name"`
 	Email    string `json:"email"`
 	Role     string `json:"role"`
 	JoinedAt string `json:"joined_at,omitempty"`
@ -56,6 +57,7 @@ func teamToResponse(t db.Team) teamResponse {
 func memberInfoToResponse(m service.MemberInfo) memberResponse {
 	return memberResponse{
 		UserID:   m.UserID,
 		Name:     m.Name,
 		Email:    m.Email,
 		Role:     m.Role,
 		JoinedAt: m.JoinedAt.Format(time.RFC3339),
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@ -45,6 +45,7 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 					TeamID: claims.TeamID,
 					UserID: claims.Subject,
 					Email:  claims.Email,
 					Name:   claims.Name,
 					Role:   claims.Role,
 				})
 				next.ServeHTTP(w, r.WithContext(ctx))
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@ -29,6 +29,7 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 				TeamID: claims.TeamID,
 				UserID: claims.Subject,
 				Email:  claims.Email,
 				Name:   claims.Name,
 				Role:   claims.Role,
 			})
 			next.ServeHTTP(w, r.WithContext(ctx))
--- a/internal/api/openapi.yaml
+++ b/internal/api/openapi.yaml
@ -1410,7 +1410,7 @@ components:
  schemas:
    SignupRequest:
      type: object
-      required: [email, password]
+      required: [email, password, name]
      properties:
        email:
          type: string
@ -1418,6 +1418,9 @@ components:
        password:
          type: string
          minLength: 8
        name:
          type: string
          maxLength: 100
    LoginRequest:
      type: object
@ -1441,6 +1444,8 @@ components:
          type: string
        email:
          type: string
        name:
          type: string
    CreateAPIKeyRequest:
      type: object
--- a/internal/auth/context.go
+++ b/internal/auth/context.go
@ -11,6 +11,7 @@ type AuthContext struct {
 	TeamID string
 	UserID string // empty when authenticated via API key
 	Email  string // empty when authenticated via API key
 	Name   string // empty when authenticated via API key
 	Role   string // owner, admin, or member; empty when authenticated via API key
 }
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@ -16,16 +16,18 @@ type Claims struct {
 	TeamID string `json:"team_id"`
 	Role   string `json:"role"` // owner, admin, or member within TeamID
 	Email  string `json:"email"`
 	Name   string `json:"name"`
 	jwt.RegisteredClaims
 }
 // SignJWT signs a new 6-hour JWT for the given user.
-func SignJWT(secret []byte, userID, teamID, email, role string) (string, error) {
+func SignJWT(secret []byte, userID, teamID, email, name, role string) (string, error) {
 	now := time.Now()
 	claims := Claims{
 		TeamID: teamID,
 		Role:   role,
 		Email:  email,
 		Name:   name,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   userID,
 			IssuedAt:  jwt.NewNumericDate(now),
--- a/internal/db/models.go
+++ b/internal/db/models.go
@ -112,6 +112,7 @@ type User struct {
 	CreatedAt    pgtype.Timestamptz `json:"created_at"`
 	UpdatedAt    pgtype.Timestamptz `json:"updated_at"`
 	IsAdmin      bool               `json:"is_admin"`
 	Name         string             `json:"name"`
 }
 type UsersTeam struct {
--- a/internal/db/teams.sql.go
+++ b/internal/db/teams.sql.go
@ -26,7 +26,7 @@ func (q *Queries) DeleteTeamMember(ctx context.Context, arg DeleteTeamMemberPara
 }
 const getBYOCTeams = `-- name: GetBYOCTeams :many
-SELECT id, name, created_at, is_byoc, slug, deleted_at FROM teams WHERE is_byoc = TRUE ORDER BY created_at
+SELECT id, name, created_at, is_byoc, slug, deleted_at FROM teams WHERE is_byoc = TRUE AND deleted_at IS NULL ORDER BY created_at
 `
 func (q *Queries) GetBYOCTeams(ctx context.Context) ([]Team, error) {
@ -59,7 +59,7 @@ func (q *Queries) GetBYOCTeams(ctx context.Context) ([]Team, error) {
 const getDefaultTeamForUser = `-- name: GetDefaultTeamForUser :one
 SELECT t.id, t.name, t.created_at, t.is_byoc, t.slug, t.deleted_at FROM teams t
 JOIN users_teams ut ON ut.team_id = t.id
-WHERE ut.user_id = $1 AND ut.is_default = TRUE
+WHERE ut.user_id = $1 AND ut.is_default = TRUE AND t.deleted_at IS NULL
 LIMIT 1
 `
@ -114,7 +114,7 @@ func (q *Queries) GetTeamBySlug(ctx context.Context, slug string) (Team, error)
 }
 const getTeamMembers = `-- name: GetTeamMembers :many
-SELECT u.id, u.email, ut.role, ut.created_at AS joined_at
+SELECT u.id, u.name, u.email, ut.role, ut.created_at AS joined_at
 FROM users_teams ut
 JOIN users u ON u.id = ut.user_id
 WHERE ut.team_id = $1
@ -123,6 +123,7 @@ ORDER BY ut.created_at
 type GetTeamMembersRow struct {
 	ID       string             `json:"id"`
 	Name     string             `json:"name"`
 	Email    string             `json:"email"`
 	Role     string             `json:"role"`
 	JoinedAt pgtype.Timestamptz `json:"joined_at"`
@ -139,6 +140,7 @@ func (q *Queries) GetTeamMembers(ctx context.Context, teamID string) ([]GetTeamM
 		var i GetTeamMembersRow
 		if err := rows.Scan(
 			&i.ID,
 			&i.Name,
 			&i.Email,
 			&i.Role,
 			&i.JoinedAt,
--- a/internal/db/users.sql.go
+++ b/internal/db/users.sql.go
@ -55,7 +55,7 @@ func (q *Queries) GetAdminPermissions(ctx context.Context, userID string) ([]Adm
 }
 const getAdminUsers = `-- name: GetAdminUsers :many
-SELECT id, email, password_hash, created_at, updated_at, is_admin FROM users WHERE is_admin = TRUE ORDER BY created_at
+SELECT id, email, password_hash, created_at, updated_at, is_admin, name FROM users WHERE is_admin = TRUE ORDER BY created_at
 `
 func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
@ -74,6 +74,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 			&i.CreatedAt,
 			&i.UpdatedAt,
 			&i.IsAdmin,
 			&i.Name,
 		); err != nil {
 			return nil, err
 		}
@ -86,7 +87,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, created_at, updated_at, is_admin FROM users WHERE email = $1
+SELECT id, email, password_hash, created_at, updated_at, is_admin, name FROM users WHERE email = $1
 `
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@ -99,12 +100,13 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
 		&i.Name,
 	)
 	return i, err
 }
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, created_at, updated_at, is_admin FROM users WHERE id = $1
+SELECT id, email, password_hash, created_at, updated_at, is_admin, name FROM users WHERE id = $1
 `
 func (q *Queries) GetUserByID(ctx context.Context, id string) (User, error) {
@ -117,6 +119,7 @@ func (q *Queries) GetUserByID(ctx context.Context, id string) (User, error) {
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
 		&i.Name,
 	)
 	return i, err
 }
@ -156,19 +159,25 @@ func (q *Queries) InsertAdminPermission(ctx context.Context, arg InsertAdminPerm
 }
 const insertUser = `-- name: InsertUser :one
-INSERT INTO users (id, email, password_hash)
+INSERT INTO users (id, email, password_hash, name)
-VALUES ($1, $2, $3)
+VALUES ($1, $2, $3, $4)
-RETURNING id, email, password_hash, created_at, updated_at, is_admin
+RETURNING id, email, password_hash, created_at, updated_at, is_admin, name
 `
 type InsertUserParams struct {
 	ID           string      `json:"id"`
 	Email        string      `json:"email"`
 	PasswordHash pgtype.Text `json:"password_hash"`
 	Name         string      `json:"name"`
 }
 func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, error) {
-	row := q.db.QueryRow(ctx, insertUser, arg.ID, arg.Email, arg.PasswordHash)
+	row := q.db.QueryRow(ctx, insertUser,
 		arg.ID,
 		arg.Email,
 		arg.PasswordHash,
 		arg.Name,
 	)
 	var i User
 	err := row.Scan(
 		&i.ID,
@ -177,23 +186,25 @@ func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, e
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
 		&i.Name,
 	)
 	return i, err
 }
 const insertUserOAuth = `-- name: InsertUserOAuth :one
-INSERT INTO users (id, email)
+INSERT INTO users (id, email, name)
-VALUES ($1, $2)
+VALUES ($1, $2, $3)
-RETURNING id, email, password_hash, created_at, updated_at, is_admin
+RETURNING id, email, password_hash, created_at, updated_at, is_admin, name
 `
 type InsertUserOAuthParams struct {
 	ID    string `json:"id"`
 	Email string `json:"email"`
 	Name  string `json:"name"`
 }
 func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams) (User, error) {
-	row := q.db.QueryRow(ctx, insertUserOAuth, arg.ID, arg.Email)
+	row := q.db.QueryRow(ctx, insertUserOAuth, arg.ID, arg.Email, arg.Name)
 	var i User
 	err := row.Scan(
 		&i.ID,
@ -202,6 +213,7 @@ func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.IsAdmin,
 		&i.Name,
 	)
 	return i, err
 }
@ -248,3 +260,17 @@ func (q *Queries) SetUserAdmin(ctx context.Context, arg SetUserAdminParams) erro
 	_, err := q.db.Exec(ctx, setUserAdmin, arg.ID, arg.IsAdmin)
 	return err
 }
 const updateUserName = `-- name: UpdateUserName :exec
 UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1
 `
 type UpdateUserNameParams struct {
 	ID   string `json:"id"`
 	Name string `json:"name"`
 }
 func (q *Queries) UpdateUserName(ctx context.Context, arg UpdateUserNameParams) error {
 	_, err := q.db.Exec(ctx, updateUserName, arg.ID, arg.Name)
 	return err
 }
--- a/internal/service/host.go
+++ b/internal/service/host.go
@ -96,9 +96,10 @@ func (s *HostService) Create(ctx context.Context, p HostCreateParams) (HostCreat
 		}
 	}
-	// Validate team exists for BYOC hosts.
+	// Validate team exists and is not deleted for BYOC hosts.
 	if p.TeamID != "" {
-		if _, err := s.DB.GetTeam(ctx, p.TeamID); err != nil {
+		team, err := s.DB.GetTeam(ctx, p.TeamID)
 		if err != nil || team.DeletedAt.Valid {
 			return HostCreateResult{}, fmt.Errorf("invalid request: team not found")
 		}
 	}
--- a/internal/service/team.go
+++ b/internal/service/team.go
@ -33,9 +33,10 @@ type TeamWithRole struct {
 	Role string `json:"role"`
 }
-// MemberInfo is a team member with resolved email.
+// MemberInfo is a team member with resolved user details.
 type MemberInfo struct {
 	UserID   string    `json:"user_id"`
 	Name     string    `json:"name"`
 	Email    string    `json:"email"`
 	Role     string    `json:"role"`
 	JoinedAt time.Time `json:"joined_at"`
@ -215,6 +216,7 @@ func (s *TeamService) GetMembers(ctx context.Context, teamID string) ([]MemberIn
 		}
 		members[i] = MemberInfo{
 			UserID:   r.ID,
 			Name:     r.Name,
 			Email:    r.Email,
 			Role:     r.Role,
 			JoinedAt: joinedAt,
@ -262,7 +264,7 @@ func (s *TeamService) AddMember(ctx context.Context, teamID, callerUserID, email
 		return MemberInfo{}, fmt.Errorf("insert member: %w", err)
 	}
-	return MemberInfo{UserID: target.ID, Email: target.Email, Role: "member"}, nil
+	return MemberInfo{UserID: target.ID, Name: target.Name, Email: target.Email, Role: "member"}, nil
 }
 // RemoveMember removes a user from the team.